Bug#1052433: bookworm-pu: package pam/1.5.2-6+deb12u1

2023-09-21 Thread Sam Hartman
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: p...@packages.debian.org, Guido Berhoerster 

Control: affects -1 + src:pam


[ Reason ]

Before the bookworm freeze, I introduced a --disable option to pam-auth-update 
so you could programmatically disable a pam profile.  (You can also muck around 
in debconf and then call pam-auth-update --package, at least under some 
circumstances, but this is a better interface.)
Unfortunately, I had a bug, and the next time pam-auth-update is run, the 
profile will be enabled again.

The fix is trivial and is covered by an updated autopkgtest.
Debian-edu says they would like this change in bookworm so they can
disable ldap auth in favor of Kerberos.  I think this is low risk.

I have also included translation updates.


[ Impact ]

Debian-edu will have to work around this somehow.  The new --disable option 
won't work in many situations.

[ Tests ]

Autopkgtests have been updated to confirm the fix; I confirmed the old code 
fails and the new code passes.
I've also tested manually.



[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
git diff debian/1.2.5-6..HEAD

diff --git a/debian/changelog b/debian/changelog
index 83794f03..22c1699d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+pam (1.5.2-6+deb12u1) bookworm; urgency=medium
+
+  * Fix pam-auth-update --disable logic error, Closes: #1039873
+  * Set myself as maintainer; thanks Steve for past and future work.
+  * Updated Turkish Debconf translations, Thanks Atila KOÇ, Closes: #1029002
+
+ -- Sam Hartman   Thu, 21 Sep 2023 14:55:12 -0600
+
 pam (1.5.2-6) unstable; urgency=medium
 
   * Update debian/copyright, Thanks Bastian Germann, Closes: #460232
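Review bot: The first changelog bullet, "Fix pam-auth-update --disable logic error", does not say what the user-visible effect was. Since this targets a stable release, suggest wording it along the lines of the request text, for example that a profile disabled with --disable was enabled again the next time pam-auth-update ran, so administrators reading the changelog can tell whether they were affected.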
diff --git a/debian/control b/debian/control
index 4b685f16..9cdc3f81 100644
--- a/debian/control
+++ b/debian/control
@@ -1,8 +1,8 @@
 Source: pam
 Section: libs
 Priority: optional
-Uploaders: Sam Hartman 
-Maintainer: Steve Langasek 
+Maintainer: Sam Hartman 
+Uploaders: Steve Langasek 
 Standards-Version: 4.6.0
 Build-Depends: debhelper-compat (= 13), dh-exec, quilt, flex, libdb-dev, 
libcrypt-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, 
autopoint, libaudit-dev [linux-any] , pkg-config, libfl-dev, 
libfl-dev:native, docbook-xsl, docbook-xml, xsltproc, libxml2-utils, w3m
 Build-Conflicts-Indep: fop
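Review bot: The Maintainer/Uploaders swap at the top of debian/control is unrelated to the --disable fix and is mentioned only in the changelog, not under [ Reason ] in the request. Suggest calling it out there so it is clear this is an intentional metadata-only change riding along with the fix.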
diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
index b3de86e7..ac00b1c9 100644
--- a/debian/local/pam-auth-update
+++ b/debian/local/pam-auth-update
@@ -162,7 +162,9 @@ push(@enabled,
 # Disable anything explicitly disabled
 @enabled = grep {!$to_disable{$_} } @enabled;
 # And we've seen anything we disable
-delete @seen{ keys %to_disable};
+foreach my $i (keys %to_disable) {
+$seen{$i} = 1;
+}
 
 # an empty module set is an error, so in that case grab all the defaults
 if (!@enabled) {
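Review bot: The body of the new foreach loop, "$seen{$i} = 1;", is not indented like the surrounding code; indent it, or write it as a single statement such as "$seen{$_} = 1 for keys %to_disable;". The removed line deleted the disabled profiles from %seen, the opposite of what the comment "And we've seen anything we disable" says, so the new code now matches the comment; suggest extending that comment to say why the entry must exist, since the request reports that without it the profile is enabled again on the next run.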
diff --git a/debian/po/tr.po b/debian/po/tr.po
index 0bd9b64c..19b0c1ef 100644
--- a/debian/po/tr.po
+++ b/debian/po/tr.po
@@ -1,48 +1,40 @@
-# Debconf questions for the Linux-PAM package.
-# Copyright (C) 2007 Steve Langasek 
+# Turkish translation of pam.
 # This file is distributed under the same license as the pam package.
-# Mert Dirik , 2008.
+# Mert Dirik , 2008, 2014.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: pam 0.99.7.1-5\n"
+"Project-Id-Version: pam\n"
 "Report-Msgid-Bugs-To: p...@packages.debian.org\n"
-"POT-Creation-Date: 2021-02-26 10:32-0500\n"
-"PO-Revision-Date: 2014-08-01 14:42+0200\n"
-"Last-Translator: Mert Dirik \n"
-"Language-Team: Debian L10n Turkish \n"
+"POT-Creation-Date: 2021-03-15 18:23-0400\n"
+"PO-Revision-Date: 2022-12-26 12:26+0300\n"
+"Last-Translator: Atila KOÇ \n"
 "Language: tr\n"
+"Language-Team: Debian L10n Turkish \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Poedit 1.5.4\n"
+"X-Generator: Poedit 2.4.2\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
 
 #. Type: string
 #. Description
 #: ../libpam0g.templates:1001
 msgid "Services to restart for PAM library upgrade:"
-msgstr ""
-"PAM kitaplığının yükseltilmesi için yeniden başlatılacak olan hizmetler:"
+msgstr "PAM kitaplığının yükseltilmesi için yeniden başlatılacak hizmetler:"
 
 #. Type: string
 #. Description
 #: ../libpam0g.templates:1001
-#, fuzzy
-#| msgid ""
-#| "Most services that use PAM need to be restarted to use modules built for "
-#| "this new version of libpam.  Please review the following space-separated "
-#| "list of init.d scripts for services to be restarted now, and correct it "
-#| "if needed."
 msgid ""
 "Most services that use PAM need to be restarted to use modules built for "
 "this new version of libpam.  Please 

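Review bot: The header rewrite at the top of tr.po drops the line "# Copyright (C) 2007 Steve Langasek" together with the old title comment; a translation update should not remove an existing copyright notice, so suggest restoring it unless the holder agreed to the removal. Separately, Plural-Forms changes from "nplurals=1; plural=0;" to "nplurals=2; plural=(n > 1);"; if the file contains any msgid_plural entries, each needs a matching msgstr[1].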
Processed: bookworm-pu: package pam/1.5.2-6+deb12u1

2023-09-21 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:pam
Bug #1052433 [release.debian.org] bookworm-pu: package pam/1.5.2-6+deb12u1
Added indication that 1052433 affects src:pam

-- 
1052433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052433
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1052420: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1

2023-09-21 Thread Boyuan Yang
Package: release.debian.org
Control: affects -1 + src:flameshot
X-Debbugs-Cc: flames...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: by...@debian.org
Severity: normal


[ Reason ]
As reported in https://bugs.debian.org/1051408 , current flameshot
in Debian 11 (Bullseye) will silently upload the current captured
screenshot to imgur without confirmation whenever the corresponding
hotkey is pressed. This imposes a security risk of leaking sensitive
information.

In order to mitigate this issue, I propose to upload flameshot
0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded
in the source code. Users who wish to utilize the img uploading
feature can fill in their own imgur token in flameshot config
window to re-enable the feature.


[ Impact ]
If the update is not approved, users of flameshot will have their
captured screenshot uploaded to imgur by default when the hotkey
is pressed without prompt, which poses a security and information
leaking risk to Debian 11 users using flameshot.

[ Tests ]
Manually tested in a Debian Bullseye VM.

[ Risks ]
Minimum risk as seen from debdiff.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Reset hardcoded imgur token to all zero to invalidate img uploading
functionality by default. For details, please check debdiff attached.

[ Other info ]
Upstream takes a different fix by popping up a confirmation window
whenever an image upload is to be done. The details can be found
at https://github.com/flameshot-org/flameshot/releases/tag/v11.0.0 .
Such a solution is not applied here due to the workload in backporting
all UI source code changes.


Thanks,
Boyuan Yang
diff -Nru flameshot-0.9.0+ds1/debian/changelog flameshot-0.9.0+ds1/debian/changelog
--- flameshot-0.9.0+ds1/debian/changelog	2021-07-22 18:10:19.0 -0400
+++ flameshot-0.9.0+ds1/debian/changelog	2023-09-21 13:16:48.0 -0400
@@ -1,3 +1,20 @@
+flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+  * debian/patches/0006-Disable-default-imgur-token.patch:
+Disable default imgur uploading token.
+.
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+.
+This patch strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+in flameshot configuration to re-enable this functionality.
+(Closes: #1051408)
+
+ -- Boyuan Yang   Thu, 21 Sep 2023 13:16:48 -0400
+
 flameshot (0.9.0+ds1-2) unstable; urgency=high
 
   * debian/patches/0003-Disable-automatic-update-checking-by-default.patch:
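Review bot: The entry says "Flameshot before v0.10.0 does not pop up confirmation", while the request points to the upstream v11.0.0 release for the confirmation-window fix. Suggest confirming which upstream version first introduced the prompt and making the changelog, NEWS.Debian and the patch description agree with it.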
diff -Nru flameshot-0.9.0+ds1/debian/NEWS.Debian flameshot-0.9.0+ds1/debian/NEWS.Debian
--- flameshot-0.9.0+ds1/debian/NEWS.Debian	1969-12-31 19:00:00.0 -0500
+++ flameshot-0.9.0+ds1/debian/NEWS.Debian	2023-09-21 13:16:48.0 -0400
@@ -0,0 +1,16 @@
+flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+  * This version disables the default imgur uploading token.
+.
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+.
+This version strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+in flameshot configuration to re-enable this functionality.
+.
+For more information, check out https://bugs.debian.org/1051408 .
+
+ -- Boyuan Yang   Thu, 21 Sep 2023 13:16:48 -0400
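Review bot: The NEWS entry tells users they "may set their own imgur token in flameshot configuration" but not where. As this is the text users see on upgrade, suggest naming the place, which the request describes as the flameshot config window, and stating plainly that image uploading stays disabled until a token is set there.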
diff -Nru flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch
--- flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch	1969-12-31 19:00:00.0 -0500
+++ flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch	2023-09-21 13:16:39.0 -0400
@@ -0,0 +1,45 @@
+From: Boyuan Yang 
+Date: Thu, 21 Sep 2023 13:14:23 -0400
+Subject: Disable default imgur token
+
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+
+This patch strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+to re-enable this functionality.
+
+Bug-Debian: https://bugs.debian.org/1051408
+---
+ src/CMakeLists.txt | 2 +-
+ src/imgur.pri  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
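Review bot: The patch header carries From, Date, Subject and Bug-Debian but no Forwarded field. The request says upstream took a different fix, so this patch is Debian-specific; suggest adding "Forwarded: not-needed" so that is recorded in the patch itself.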

Processed: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1

2023-09-21 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:flameshot
Bug #1052420 [release.debian.org] bullseye-pu: package 
flameshot/0.9.0+ds1-2+deb11u1
Added indication that 1052420 affects src:flameshot

-- 
1052420: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1028489: Please package 1.82, not 1.83

2023-09-21 Thread Thomas Goirand

Hi,

I maintain Ceph, and it needs version 1.82. I don't think it is 
compatible with version 1.83. Please do package version 1.82 in Debian, 
otherwise, I'll have to use the embedded (statically linked) version of 
libboost, which isn't ideal.


Note that Ceph is a key package, because Qemu needs it, and Qemu is 
needed to bootstrap new arch, like currently RiscV.


Cheers,

Thomas Goirand (zigo)